The Web Security Mailing List

"Previously, when people typed in a legitimate e-mail address on Facebook's password reset page
they got a message either saying that their password had been reset or
that an e-mail with instructions on how to reset the password had been
sent to their e-mail account, thus providing verification that the
e-mail address is legitimate. When a fake e-mail address was typed in
they got a message that said "Unregistered Email. The email address you
entered has not been registered."

Now, every password typed in gets the same message: "Your password has
been reset. An e-mail has been sent to all contact e-mails associated
with your account, including (the one typed in)."" - CNET

This is one of those flaws you rarely hear about that have a real impact. The primary reason for gathering confirmed e-mail addresses this way is to perform targeted phishing.
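The before and after behaviour described in the quote can be pinned down with a regression check. This is an added example, not code from CNET or Facebook. The handler names, the sample accounts, the HTTP status values and the wording of the first "before" message are assumptions.

```python
# Added illustration: hypothetical handlers and constructed sample data.
REGISTERED = {"alice@example.com", "bob@example.com"}  # constructed accounts


def reset_leaky(email, outbox):
    """'Before' behaviour from the quote: the reply depends on registration."""
    if email.lower() in REGISTERED:
        outbox.append(email.lower())
        return 200, ("An e-mail with instructions on how to reset the "
                     "password has been sent to your e-mail account.")
    return 200, ("Unregistered Email. The email address you entered "
                 "has not been registered.")


def reset_uniform(email, outbox):
    """'After' behaviour: one reply for every input.

    Mail is queued only for real accounts, but the caller cannot tell.
    """
    if email.lower() in REGISTERED:
        outbox.append(email.lower())
    return 200, ("Your password has been reset. An e-mail has been sent to "
                 "all contact e-mails associated with your account, "
                 f"including {email}.")


def leaks_registration(handler, known, unknown):
    """Return True if replies differ between registered and unregistered input.

    The address echoed back in the body is masked first, so only differences
    that depend on account existence are counted.
    """
    def normalised(email):
        status, body = handler(email, [])
        return status, body.replace(email, "<addr>")

    return len({normalised(e) for e in list(known) + list(unknown)}) > 1


if __name__ == "__main__":
    known, unknown = ["alice@example.com"], ["nobody@example.net"]
    print("leaky handler leaks:", leaks_registration(reset_leaky, known, unknown))
    print("uniform handler leaks:", leaks_registration(reset_uniform, known, unknown))
```

Run as a unit test against the real reset endpoint's handler, a check like `leaks_registration` catches a later change that reintroduces a distinct "not registered" message.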